fix(rel): PG images add SHA for image tag (#594)

jdpleiness · web-flow · commit 03292b0215d0 · 2024-12-03T16:30:32.000-05:00
Even with the version, `sg ops` won't replace the sha tag if none is present. ### Checklist - [x] Follow the [manual testing process](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/TEST.md) - [x] Update [changelog](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/charts/sourcegraph/CHANGELOG.md) - [x] Update [Kubernetes update doc](https://docs.sourcegraph.com/admin/updates/kubernetes) ### Test plan CI and local testing
diff --git a/charts/sourcegraph/README.md b/charts/sourcegraph/README.md
@@ -61,7 +61,7 @@ In addition to the documented values, all services also support the following va
 | codeInsightsDB.enabled | bool | `true` | Enable `codeinsights-db` PostgreSQL server |
 | codeInsightsDB.env | object | `{}` | Environment variables for the `codeinsights-db` container |
 | codeInsightsDB.existingConfig | string | `""` | Name of existing ConfigMap for `codeinsights-db`. It must contain a `postgresql.conf` key. |
-| codeInsightsDB.image.defaultTag | string | `"5.10.1164"` | Docker image tag for the `codeinsights-db` image |
+| codeInsightsDB.image.defaultTag | string | `"5.10.1164@sha256:e0f2818ce95cfb1e236feedfdcc2061f97d3d8333b74d8a5b0f1d9430d31ede6"` | Docker image tag for the `codeinsights-db` image |
 | codeInsightsDB.image.name | string | `"postgresql-16-codeinsights"` | Docker image name for the `codeinsights-db` image |
 | codeInsightsDB.init.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":70,"runAsUser":70}` | Security context for the `alpine` initContainer, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
 | codeInsightsDB.name | string | `"codeinsights-db"` | Name used by resources. Does not affect service names or PVCs. |
@@ -81,7 +81,7 @@ In addition to the documented values, all services also support the following va
 | codeIntelDB.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":999,"runAsUser":999}` | Security context for the `codeintel-db` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
 | codeIntelDB.enabled | bool | `true` | Enable `codeintel-db` PostgreSQL server |
 | codeIntelDB.existingConfig | string | `""` | Name of existing ConfigMap for `codeintel-db`. It must contain a `postgresql.conf` key |
-| codeIntelDB.image.defaultTag | string | `"5.10.1164"` | Docker image tag for the `codeintel-db` image |
+| codeIntelDB.image.defaultTag | string | `"5.10.1164@sha256:3a921369f241fec32659e7e31c31e0d1433d5887894a69e94de6ca3d257f650f"` | Docker image tag for the `codeintel-db` image |
 | codeIntelDB.image.name | string | `"postgresql-16"` | Docker image name for the `codeintel-db` image |
 | codeIntelDB.name | string | `"codeintel-db"` | Name used by resources. Does not affect service names or PVCs. |
 | codeIntelDB.podSecurityContext | object | `{"fsGroup":999,"fsGroupChangePolicy":"OnRootMismatch","runAsUser":999}` | Security context for the `codeintel-db` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
@@ -223,7 +223,7 @@ In addition to the documented values, all services also support the following va
 | pgsql.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":999,"runAsUser":999}` | Security context for the `pgsql` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
 | pgsql.enabled | bool | `true` | Enable `pgsql` PostgreSQL server |
 | pgsql.existingConfig | string | `""` | Name of existing ConfigMap for `pgsql`. It must contain a `postgresql.conf` key |
-| pgsql.image.defaultTag | string | `"5.10.1164"` | Docker image tag for the `pgsql` image |
+| pgsql.image.defaultTag | string | `"5.10.1164@sha256:3a921369f241fec32659e7e31c31e0d1433d5887894a69e94de6ca3d257f650f"` | Docker image tag for the `pgsql` image |
 | pgsql.image.name | string | `"postgresql-16"` | Docker image name for the `pgsql` image |
 | pgsql.name | string | `"pgsql"` | Name used by resources. Does not affect service names or PVCs. |
 | pgsql.podSecurityContext | object | `{"fsGroup":999,"fsGroupChangePolicy":"OnRootMismatch","runAsGroup":999,"runAsUser":999}` | Security context for the `pgsql` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
diff --git a/charts/sourcegraph/values.yaml b/charts/sourcegraph/values.yaml
@@ -174,7 +174,7 @@ codeInsightsDB:
   additionalConfig: ""
   image:
     # -- Docker image tag for the `codeinsights-db` image
-    defaultTag: 5.10.1164
+    defaultTag: 5.10.1164@sha256:e0f2818ce95cfb1e236feedfdcc2061f97d3d8333b74d8a5b0f1d9430d31ede6
     # -- Docker image name for the `codeinsights-db` image
     name: "postgresql-16-codeinsights"
   # -- Security context for the `codeinsights-db` container,
@@ -245,7 +245,7 @@ codeIntelDB:
   additionalConfig: ""
   image:
     # -- Docker image tag for the `codeintel-db` image
-    defaultTag: 5.10.1164
+    defaultTag: 5.10.1164@sha256:3a921369f241fec32659e7e31c31e0d1433d5887894a69e94de6ca3d257f650f
     # -- Docker image name for the `codeintel-db` image
     name: "postgresql-16"
   # -- Security context for the `codeintel-db` container,
@@ -729,7 +729,7 @@ pgsql:
   additionalConfig: ""
   image:
     # -- Docker image tag for the `pgsql` image
-    defaultTag: 5.10.1164
+    defaultTag: 5.10.1164@sha256:3a921369f241fec32659e7e31c31e0d1433d5887894a69e94de6ca3d257f650f
     # -- Docker image name for the `pgsql` image
     name: "postgresql-16"
   # -- Security context for the `pgsql` container,
@@ -823,7 +823,6 @@ syntacticCodeIntel:
     # -- Name of the ServiceAccount to be created or an existing ServiceAccount
     name: ""
 
-
 preciseCodeIntel:
   # -- Environment variables for the `precise-code-intel-worker` container
   env:
@@ -1221,7 +1220,14 @@ jaeger:
   # -- Name used by resources. Does not affect service names or PVCs.
   name: "jaeger"
   # -- Default args passed to the `jaeger` binary
-  args: [ "--memory.max-traces=20000", "--sampling.strategies-file=/etc/jaeger/sampling_strategies.json", "--collector.otlp.enabled", "--collector.otlp.grpc.host-port=:4320", "--collector.otlp.http.host-port=:4321" ]
+  args:
+    [
+      "--memory.max-traces=20000",
+      "--sampling.strategies-file=/etc/jaeger/sampling_strategies.json",
+      "--collector.otlp.enabled",
+      "--collector.otlp.grpc.host-port=:4320",
+      "--collector.otlp.http.host-port=:4321",
+    ]
   # -- Security context for the `jaeger` container,
   # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
   containerSecurityContext:
@@ -1288,7 +1294,8 @@ worker:
   # -- Scale worker horizontally by configuring additional replicas dedicated to specific jobs.
   # for each replica, configure the dedicated jobs to run on this replica.
   # learn more from https://sourcegraph.com/docs/admin/workers#3-split-jobs-and-scale-independently
-  replicas: []
+  replicas:
+    []
     # - jobs: []
     #   resources:
     #     limits:
@@ -1297,7 +1304,7 @@ worker:
     #     requests:
     #       cpu: 500m
     #       memory: 2G
-      
+
   # -- Resource requests & limits for the `worker` container,
   # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
   resources:
